by aspyct 1200 days ago
How is that malware deployed to a machine?

Is that something attackers can install/activate remotely through some kind of RCE, or does it need me to run an executable manually?

In other words, is it still enough to be careful with social engineering, or are we more screwed than that?

> At this point, we have not been able to identify, from our telemetry, the exact distribution channel used to deploy the bootkit to victims. The low number of BlackLotus samples we have been able to obtain, both from public sources and our telemetry, leads us to believe that not many threat actors have started using it yet. [0]

Right now, we don't know how it makes its way to the target.

But, we do know that it comes in the form of an installer, which then requires a system reboot to enable persistence, and then another reboot to do its actual job.

> In all subsequent boots, the self-signed UEFI bootkit is executed and deploys both its kernel driver and user-mode payload, the HTTP downloader. Together, these components are able to download and execute additional user-mode and driver components from the C&C server and protect the bootkit against removal

[0] https://www.welivesecurity.com/2023/03/01/blacklotus-uefi-bo...

Thanks :)

> Is that something attackers can install/activate remotely through some kind of RCE, or does it need me to run an executable manually?

This piece of malware is not related to distribution, and must be executed manually (or, more likely, executed by a different malware sample serving as a loader). So you can use it in a social engineering attack, deploy it org-wide after exploiting AD, install it using some kind of RCE, etc.

The initial infection requires the ability to execute code as admin under Windows, but the writeup notes that it attempts to bypass UAC to gain that even as an unprivileged user (albeit one who is permitted to run code as admin). If you run as a user who doesn't have admin access you should be protected, even if we don't know the initial infection vector.

> If you run as a user who doesn't have admin access you should be protected,

That's not very reassuring. Privilege escalation on Windows is a well studied subject:

https://github.com/swisskyrepo/PayloadsAllTheThings/blob/mas...